12-04-2008 02:13 AM - edited 02-21-2020 03:08 AM
Hi,
I'm testing NAC Appliance with AD SSO. The SSO seems to be OK. However, users will be prompted with the agent login dialog if they don't log in to the AD. In addition, they can't pass the authentication even if they use the correct credentials. How can I discard this dialog? I'd like to force them to log in to the AD. Please advise.
Thanks,
Nitass
12-12-2008 09:56 PM
Is the system (PC/laptop) already joined to the domain?
12-13-2008 07:33 PM
Sorry, I misunderstood. Actually, there are 2 authentication servers. One is Kerberos and the other one is AD SSO. Both point to the same domain controller. The reason I created the Kerberos one is to allow users to log in through web login to download the agent the first time. After that, AD SSO will be used for authentication.
Anyway, the problem is that if a user (laptop) does not log in to the domain, the agent dialog will be displayed and still allow the user to log in via Kerberos. I do not want this. What can I do? Please advise.
Thanks,
Nitass
12-18-2008 01:03 PM
Nitass,
If you only wish to allow AD logins, then AD SSO should be attempted first, which it sounds like it is. If for any reason SSO fails for a user, then you can configure an authentication server that uses Kerberos (AD) or LDAP. This can be the same server used for AD SSO, but it needs to be a separate authentication server, which can be enabled for the user login page. The user login page can have the allowed options, which can include one or more auth servers.
Regards,
chyps
12-18-2008 10:51 PM
Hi Chyps,
Would it be possible to use an authentication server (i.e. Kerberos) for web login only? I do not want that authentication server to be used by the Clean Access Agent in case SSO fails.
Thanks and regards,
Nitass
12-19-2008 08:52 AM
The auth server options selected on the user login page are configurable to a specific VLAN or operating system, so it would be possible to have different auth servers selected for Windows and, say, Linux/Mac users, but for users that map to the same login page, both Web auth and agent-based users (including AD SSO users) will see the same auth server list.
/chyps
12-20-2008 03:13 AM
Hi Chyps,
Thanks. It seems that it would not be possible to enable the Kerberos auth server only for web auth (and disable the same Kerberos auth server for agent-based login).
Thanks again,
Nitass